Network Security (contd.)

04/19/23 Tutorial on Network Security: Sep 2003

1

Network Security (contd.)Network Security (contd.)

Bijendra Jain([email protected])


2

Lecture 3: Public-key Lecture 3: Public-key cryptographycryptography


3

Public-key cryptographyPublic-key cryptography

Public-key cryptography is not necessarily more secure than private-key cryptography

Private-key cryptography is not obsolete—it still is exceptionally useful

Distribution of keys in public-key cryptography is not trivial-- Public-key cryptography has attempted to address this issue head-on


4

Public-key cryptographyPublic-key cryptography Public-key cryptography requires the use of

two keys:– One for encryption– A related one for decryption

One key is kept private, while the other is made public

Can either key be used for encryption, and the other for decryption:– YES, for RSA


5

Public-key cryptography: confidentialityPublic-key cryptography: confidentiality

Used for Confidentiality:


6

Public-key cryptography: confidentialityPublic-key cryptography: confidentiality

Used for confidentiality:


7

Public-key cryptography: authenticationPublic-key cryptography: authentication

Used for authentication:


8

Public-key cryptography: authenticationPublic-key cryptography: authentication

Used for authentication:


9

Confidentiality Confidentiality andand authentication authentication

Used for :


10

Public-key cryptographyPublic-key cryptography Easy for B to generate keys, (private) KRB and (public) KUB

Easy for sender A to encrypt C = EKUB (M), given M and KUB

Easy for receiver B to decrypt M = DKRB (C), given C and KRB

Given KUB it is infeasible for others to determine KRB

Given KUB and ciphertext C it is infeasible for others to decipher M

(optionally) encryption and decryption can be applied in any order

Function E (or D) is “one-way function with trap-door”– The inverse of E (or D) is infeasible, unless additional information

(trap-door) is available


11

RSA algorithmRSA algorithm Approach first suggested by Diffie and Hellman Invented by Rivest, Shamir, Adleman at MIT, first

published in 1978 Algorithms are patented Block cipher, where plaintext is < n Permits any key length

– typically 128 through 1014 is common


12

RSA algorithmRSA algorithm Consider n, and blocks of size k bits s.t.

2k < n 2k+1. Encryption and decryption algorithms:

C = Me mod n M = Cd mod n = Med mod nwheresender knows public key KU = {e, n}receiver knows private key KR = {d, n}

For this to be a public-key crypto system:– M = Med mod n for some e, d, n for all M < n– Easy to calculate Me mod n, and Cd mod n– Infeasible to determine d, given e and n


13

RSA algorithmRSA algorithm Key generation

– Select any prime numbers p, q– Compute n = p*q– Compute phi = (p-1)*(q-1)– Select e, such that 1< e < phi, and gcd(phi, e) = 1– Find d such that ed = 1 mod phi– Public key KU = {e, n}– Private key KR = {d, n}

Encryption, decryption algorithms: for any plaintext M < nC = Me (mod n)M = Cd (mod n)

Can be shown that M = Cd mod n = Med mod n


14

RSA: exampleRSA: exampleLet p = 7, q = 17

N = p*q = 119

Phi = (p-1)*(q-1) = 96

Select e = 5 (note e is relatively prime to 96, and < 96)

Find d =77 (note d*e = 1 mod 96, and d < 96)

KU = {5, 119}, KR = {77, 119}

Let M = 19 (note M < 119)

Encryption step: C = 19**5 = 2476099 mod 119 = 66

Decryption step: M = 66**77 = 127………. mod 119 = 19


15

RSA: computational aspectsRSA: computational aspects Computing C = Me (mod n)

– use the following two properties:

1. A * B mod n = (A mod n)*(B mod n) mod n

Or, e.g., 195 mod 119 = (192 mod 119) * (193 mod 119) mod 119

2. A**8 = (A**4)**2 = ((A**2)**2)**2

Or, 19**9 = (19**8)*(19**1) = (((19**2)**2)**2)*(19**1)


16

RSA: key generationRSA: key generation Selecting two primes: p, q

– Should be very large Since M < n = p*q Infeasible to calculate factors p, q of n by exhaustive search

– Finding large primes Pick a large number randomly, and then test

Selecting e, relative prime to phi = (p-1)*(q-1)– Pick an e, and test for relative primality– Extended Euclid’s algorithm computes gcd, and inverse, d


17

RSA: its strengthRSA: its strength Brute force Factor n to obtain p and q

– Then calculate phi = (p-1)*(q-1), and then invert e to obtain d “Factor” n to obtain phi

– Then invert e to obtain d Progress towards meeting challenges

– Ciphers using RSA with keys of size up to 431 bits have been deciphered Effort involved was only 500 MIPS-years (1 MIPS machine working for 1 year

– a 200 MHz Pentium is 50 MIPS) A 2048 bit RSA is expected to require 1014 MIPS-years Today, and for the near future, consider RSA key size of 1024 to

2048 Additionally consider selecting p and q appropriately, such as p and q

are of approx. same length, etc.


18

RSA: distribution of public keysRSA: distribution of public keys Public announcements Directory on the web, where data is secured Public-key authority Certificates


19

RSA: distribution of public keysRSA: distribution of public keys Public announcements

– Public key is “public”– User can share his/her public with others– Popular with PGP– However, one may even send “false” keys


20

RSA: distribution of public keysRSA: distribution of public keys Publicly accessible directory

– By a trusted and well known “authority”– Individual users “register” their public key using some other

means– Public keys are secure– For instance on the web, or printed directory– Individual users control, update their public keys, and do so

in a secure manner– Weaknesses:

Break into the authority’s database Alter the key during communication


21

RSA: distribution of public keysRSA: distribution of public keys Public-key authority

– Very similar to publicly accessible directory– Different: user can request/obtain public key in secure manner

Initiator A

X, PK authority

1. REQ (KUB, T1)

2. ENCKUX(KUB, REQ (KUB, T1))

Initiator B

X, PK authority

4. REQ (KUA, T2)

5. ENCKUX(KUA, REQ (KUA, T2))

3. ENCKUB(IDA, N1)

6. ENCKUA(IDB, N1, N2)

7. ENCKUB(N2)


22

RSA: distribution of public keysRSA: distribution of public keys Public-key certificates

– Certificates need not be issued each time– Sender provides public key with a certificate– Receiver checks the certificate, thereby confirms public key– A certificate:

Anyone can read, determine the owner’s public key Anyone can verify that certificate is signed by authority Only certificate can create certificate Anyone can check “currency” of certificate


23

RSA: CertificatesRSA: Certificates

CERTA = ENCPUX (IDA, KUA, TA, DURA)

where PUX is public key of certification authority

IDA is user ID

KUA is public key of A

TA is time of issuance of certificate

DURA is the duration for which the certificate is valid


24

Lecture 4:Lecture 4:Message AuthenticationMessage Authentication


25

Message authenticationMessage authentication Source of Message

– Protection against masquerading

Integrity of message– Protection against modification

Integrity of sequence of messages– Protection against deletion, addition and re-ordering

Integrity of timing– Protection against delay and replay


26

Using private-key encryptionUsing private-key encryption Encrypt message using private-key encryption

system– Basically provides confidentiality– Authentication and Integrity check are difficult, but possible

Particularly if it is some bit sequence Use an FCS (frame check sequence), as in TCP

Integrity of a sequence of TCP messages can also be ensured

Does not provide for non-repudiation


27

Using public-key encryptionUsing public-key encryption Similar, except that it only provides for authentication Again, the transmitted message must have some

structure (FCS, for example)


28

Message Authentication CodesMessage Authentication Codes Integrity check is not difficult any more Based on private-key encryption Transmitted message in (M, MAC)

MAC = CK(M)

where:– C is MAC algorithm,– K is the shared key

Provides for message integrity, user authentication, but not non-repudiation


29

Message Authentication CodesMessage Authentication Codes Algorithm C differs:

– from encryption in that it is NOT reversible– From FCS, etc. in that it is not easy to design a new

message with same FCS– From use of hash functions, in that encryption and “hashing”

is simultaneous

Algorithm C is more difficult to crack


30

Message authentication codesMessage authentication codes Authentication based on MAC-- superior since it is efficient

Authentication based on appending an FCS, then encrypting

FCS is a bad idea, anyway

Data sentMessage E()

K

||

fcs()

Data sentMessage ||

MAC()

K


31

Message authentication: alternativesMessage authentication: alternatives

Data sentMessage ||

H() E()

K

Data sentMessage ||

H()

E()

K


32

Digital SignatureDigital Signature

Data sentMessage ||

H() E()

KR


33

Message authentication: alternativesMessage authentication: alternatives

Data sentMessage ||

H()

Secret K

||

This approach completely does away with encryption– Efficient– Strength depends completely on how good is the hashing function


34

MAC codesMAC codes MAC is also known as cryptographic checksum Transmitted message in (M, MAC)

MAC = CK(M)

where:– C is MAC algorithm,– MAC is n bit long– M is variable length message– K is k-bit shared key

MAC requirements:– Given M, CK(M) it should be computationally infeasible to obtain M’ s.t. MAC

= CK(M) = CK(M’)

– MAC = CK(M) should be uniformly distributed, or for random M, M’

Prob (CK(M) = CK(M’) = 2-n

– Similarly if M’ is obtained by carrying out simple transformations


35

MAC CodesMAC Codes 64 bit DAA (Data Authentication Algorithm) is based

on DES:O1 = EK(D1)

O2 = EK(O1 D2)

O3 = EK(O2 D3)

…

…

ON = EK(ON-1 DN)


36

Hash functionsHash functions

Requirements of a hash function:– Can be applied to block of data of any size– Produces a fixed length digest– Easy to compute h = H(M)– One-way function: given h, it must be computationally infeasible to

compute M such that h = H(M)– Weak collision: Given M, it must be computationally infeasible to

compute M’ such that H(M’) = H(M)– Strong collision: computationally infeasible to find M, M’ such that

H(M’) = H(M)

Data sentMessage ||

H() E()

KR


37

Hash functionsHash functions

Simple hash function:O1 = D1

O2 = O1 D2

O3 = O2 D3

…

…

ON = ON-1 DN

MD4, MD5


38

MD5MD5

Develop in 1992, by Ron Rivest 128 bit hash code Processes 512 bits at a time (add padding bits if necessary) 4 rounds of 16 steps each, involving gcd, and + mod 232

operations

Y0 Y1 … … YL…

IV

CV1

HMD5 HMD5HMD5 HMD5

CV2 CVL-1 CVL


39

MD4MD4 Similar to MD5, developed earlier in 1990 by Ron Rivest 128 bit hash code, processes 512 bits at a time 3 rounds of 16 steps each, involving gcd, and + mod 232

operations faster


40

SHA-1 hash functionSHA-1 hash function

Developed by NIST in 1995 Based on MD4 160 bit hash Operates on blocks of length 512 bit More secure against brute force attacks Appears to be secure against cryptanalysis MD5 and SHA-1 are equally fast, simple


41

HMACHMAC Truly a MAC Required for IPSec Based on hash functions Any “good” hash function can be used The “IV” can be kept secret (becomes the key) MD5 or SHA-1 can be used


42

ThanksThanks

Network Security (contd.)

Documents

publickey cryptographyeasy

decryptionone key

private key kr

mod phipublic key ku

network security contd

publickey crypto system

qcompute n

public kubeasy